{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/route-table/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2"],"_cs_severities":["low"],"_cs_tags":["aws","cloudtrail","ec2","route-table","persistence","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eAttackers can manipulate AWS EC2 route tables to achieve various malicious objectives. Modifications or deletions of route tables and their associations, using actions like \u003ccode\u003eReplaceRoute\u003c/code\u003e, \u003ccode\u003eReplaceRouteTableAssociation\u003c/code\u003e, \u003ccode\u003eDeleteRouteTable\u003c/code\u003e, \u003ccode\u003eDeleteRoute\u003c/code\u003e, and \u003ccode\u003eDisassociateRouteTable\u003c/code\u003e, may indicate attempts to disrupt network traffic, reroute communications to attacker-controlled infrastructure, or establish persistence within the compromised AWS environment. This activity is often performed after initial access is gained through other means. Defenders should monitor these events closely for unexpected changes, particularly those originating from unfamiliar users or locations. While routine administration can trigger similar events, understanding the context and intent behind these actions is crucial to differentiating legitimate activity from malicious behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or by exploiting a vulnerability in an application running within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing EC2 route tables to identify potential targets for manipulation using \u003ccode\u003eec2:DescribeRouteTables\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eec2:ReplaceRoute\u003c/code\u003e to modify a route within a route table, redirecting traffic destined for a specific CIDR block to an attacker-controlled instance.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003eec2:ReplaceRouteTableAssociation\u003c/code\u003e to associate a subnet with a malicious route table they control, effectively hijacking traffic from that subnet.\u003c/li\u003e\n\u003cli\u003eTo remove evidence or prevent legitimate access, the attacker might use \u003ccode\u003eec2:DeleteRouteTable\u003c/code\u003e to delete a critical route table.\u003c/li\u003e\n\u003cli\u003eThe attacker can also use \u003ccode\u003eec2:DeleteRoute\u003c/code\u003e to remove specific routes which may impede their lateral movement or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eec2:DisassociateRouteTable\u003c/code\u003e to break existing subnet associations, disrupting network connectivity.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, denial of service, or maintaining long-term access to the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of EC2 route tables can lead to significant disruptions in network traffic, potentially causing downtime for critical applications and services. Attackers can reroute sensitive data through their own infrastructure, enabling data theft or manipulation. This activity impacts cloud infrastructure and can lead to a loss of confidentiality, integrity, and availability. The risk is elevated if critical infrastructure components are affected, requiring immediate incident response to mitigate the damage and restore normal operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail and monitor \u003ccode\u003eReplaceRoute\u003c/code\u003e, \u003ccode\u003eReplaceRouteTableAssociation\u003c/code\u003e, \u003ccode\u003eDeleteRouteTable\u003c/code\u003e, \u003ccode\u003eDeleteRoute\u003c/code\u003e, and \u003ccode\u003eDisassociateRouteTable\u003c/code\u003e events to detect suspicious route table modifications or deletions as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS EC2 Route Table Modified or Deleted\u0026quot; to your SIEM to detect unauthorized changes to route tables, ensuring to tune it for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e field to determine the user or role initiating the action and validate their authorization to perform these operations, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003esource.ip\u003c/code\u003e and \u003ccode\u003euser_agent.original\u003c/code\u003e fields in CloudTrail logs to identify unusual or suspicious sources of route table modifications as described in the investigation steps.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege by limiting route table modification permissions to specific trusted users, roles, or automation accounts and using IAM conditions, referencing the remediation steps from the provided documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-ec2-route-table-modified/","summary":"An attacker modifies or deletes AWS EC2 route tables to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment.","title":"AWS EC2 Route Table Modification or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-ec2-route-table-modified/"}],"language":"en","title":"CraftedSignal Threat Feed - Route-Table","version":"https://jsonfeed.org/version/1.1"}